Information Commissioner's Office


ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where
the respondent indicates that they are an individual acting in a private
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these
responses; but apart from this, we will publish them in full.


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new
aspects of data protection legislation which are relevant to data 
sharing? 


O Yes 


X No


Q2 If not, please specify where improvements could be made. 


We are encouraged by the draft COP provided for consultation and 
consider that there are opportunities to further develop the document to 
provide clearer support for organisations and individuals in relation to 
this complex subject. 


Q3 Does the draft code cover the right issues about data sharing? 


O Yes 


X No


Q4 If no, what other issues would you like to be covered in it?


The structure and content (in particular the level of detail included) is 
variable throughout the document. It is very high level in places and 
detailed in others and as a COP, it is suggested that there would be 
benefit from consistency on the level of content throughout the 
document. 


Further detail on the subject of DPA Part 3 (law enforcement) 
information sharing and in particular the sharing of information for 
alternate processes (i.e. Part 3 to Part 2) processing is necessary. There 
are gaps in these areas that are evident in comparison to the content of 
the COP in relation to GDPR 


Q5 Does the draft code contain the right level of detail? 


O Yes 


X No


Q6 If no, in what areas should there be more detail within the draft
code? 


In addition to response to Q4 above, it is suggested that the worked 
examples throughout the document lack sufficient detail to allow them 
to be used effectively to understand the considerations that will be 
required in each instance. Therefore, whilst useful in principle, they are 
too broad and open to misinterpretation to be of particular value. 


In addition, it would be useful if the COP included clarification on
whether the worked examples have been tested against the various
legislatures in the UK. It is noted that this is a UK-wide COP; however,
references are to FOIA, not FOISA or other equivalent legislation.


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


O Yes 


X No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail 


It is suggested that the section(s) on law enforcement processing and 
references to it needs to be expanded. When compared against the COP 
content for GDPR, LE processing is fragmented and lacks equivalent 
detail or information. It may be worthwhile considering a much larger 
single section in the COP on this subject, bringing all elements together 
to create a more focussed, detailed section, under the wider and more 
general COP. As an example, pg51 highlights that there is a difference 
in relation to the rights of an individual; the COP then provides the 
detail in relation to DPA Pt2, but is silent on DPA Pt3 until Pg55 which 
gives only minimal details, demonstrating a lack of consistency in the 
draft COP 


Pg40 “The first case” 

It is suggested that a worked example in relation to consent by the data 
subject to data sharing for LE purpose would be useful, particularly if it 
also addressed the imbalance of power 


p63 - confusing example? Sharing with Social Work is under GDPR (Part 
2 to Part 3) although Police will provide extra detail under Part 3. As a 
general point on examples, some (e.g. p66) would benefit from more 
detail to show workable steps to sharing and possible alternative routes 
to compliance. 


p65 (para 3) - "if you are not a competent authority" - indicates an 
expectation that a non-law enforcement reader will be reading the Part 
3 section of the Code of Practice? Does this section not then need to be 
moved to, or replicated in the general Part 2 section? 


p65 - is there a requirement to spell out the different circumstances in 
which DPA Schedule 2, paragraph 2 (1) may apply rather than Schedule 
1 (and vice versa). 


p66 - as above, the example doesn't clarify things. Cites sharing under 
Schedule 1, but considered it may be more likely to be under Schedule 
2, paragraph 2 (1) in this particular example. 


p66 - hyperlink to general ICO website. Could a more specific hyperlink
be provided to a relevant section? (I assume it will be
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/ )


p67 - gang database example, we have concerns around using an
example that appears to suggest sharing an unredacted intelligence 
database with a local authority. Unclear what the aim of the example is. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


O Yes 


X No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Pg23 ‘Are we allowed to share the information’ 

This section focuses on whether there are any restrictions on sharing, 
but there is no counter-measure to check what allows/facilitates sharing 
- i.e. what is the enabler; this is not addressed until pg27. A more 
structured relationship between the two sections would be easier for the 
reader to understand. 


Pg27 Lawful basis for sharing 

We are unsure why public sector organisations are being directed to 
define legal powers to share in an agreement (which we are in 
agreement with), but this direction is not extended to other 
organisations 

Pg27 Access and Individual Rights 

We found para 2 of this section particularly confusing; it can be read to 
suggest that one individual has responsibility for all shared data where 
there is no joint controller relationship. We do not think this is intended 


Pg38 Information Governance 

We do not agree that common rules for retention and deletion of shared
data are necessary except in joint controller relationships or instances 
where the shared data forms a single dataset or collaborative working 
area. Therefore it is suggested that rules are required. 


Similarly, we do not agree that common technical and organisational
security arrangements are required, rather that technical and
organisational security arrangements appropriate to the nature/content
of the information being shared are required of all parties to a sharing
agreement.


We found this section confusing and suggest that clarity is required,
perhaps by indicating that different options will be required for sharing 
agreements based on joint controller relationships from those that are 
based on controller to controller relationships 


Pg31 Data Protection principles 

It is suggested that there is an opportunity to be clearer in this section 
that each of the principles must be satisfied every time information is 
shared and that a sharing agreement is a framework to meeting that 
requirement 


In general terms, it is suggested that the practice of developing 
examples in the draft COP on a piecemeal basis causes confusion. 
Examples that are only part worked will suggest to the reader who does 
not read the whole document each time, that certain aspects (that are 
developed in other sections of the COP) are valid, when in fact another 
section of the SOP expands on them. Therefore an alternative would be 
to provide fully worked examples that address all issues at the end of 
the COP 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


O Yes 


X No


Q12 If no, in what way does the draft code fail to strike this balance? 


Pg52 - bullet point 3 

We do not consider that this is workable, nor does it allow for different 
controllers to make different (legitimate) decisions regarding individuals’ 
rights. It is also questioned as to whether it could be legal in some 
circumstances. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


Yes


Q14 Please provide any further comments or suggestions you may have
about the draft code. 


Pg35 Example 

We did not find this to be a useful example and suggest that its base
scenario requires revision. In addition, it does not appear to link
well to the content it follows in the document.


p57 - "Most private and third sector organisations do not need to 
identify a specific [legal] power to share data" - considered that an 
additional word is required for clarification or something to underline 
that they will still need to identify a lawful basis. 


p59 - last sentence considered a bit confusing, perhaps definition of 
"overriding public interest" is required? 


p77 - section mentioning children would benefit from referring to Part 3 
to show that there are exemptions (either here, or in the Part 3 
section). 


p81 - example is of sharing under the GDPR, but one of the examples 
given is a terrorist incident (which obviously is criminal), perhaps 
confuses the issue to include a criminal act. 


p99 - first example on CCTV - possibly inconsistent with the CCTV 
example on p66? Annex D doesn't appear to be referenced anywhere 
else in the document and it isn't clear if these are intended as examples 
of good practice. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


O Strongly agree
O Agree
O Neither agree nor disagree
X Disagree
O Strongly disagree


Q16 Are you answering as:


O An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)


O An individual acting in a professional capacity


X On behalf of an organisation 


O Other 


Please specify the name of your organisation: 


Police Service of Scotland 


Thank you for taking the time to share your views and experience. 


